
Notarization security issue #7859

@mifi


Apologies if creating an issue is not the right thing to do, but the discussions page doesn't seem to exist anymore. I'm trying to understand this whole Apple App-Specific Password thing. It's vaguely described by Apple, but I'm very confused and cannot find the answer to this question:

Which access privileges does an App-Specific Password actually give the user? Surely it gives access to notarizing any apps contained within that Apple ID. And I see from the poor Apple description that:

> the app can access information like mail, contacts, and calendars that you store in iCloud

So surely it gives access to more things than just notarizing (and notarizing is not even described there). So I'm wondering, does an App-Specific Password basically give full access to that Apple ID, to perform any action on behalf of the account owner? Does it give access to all teams/apps that the Apple ID has access to? (I don't see any way to restrict the app-specific password in any way.)

Now the reason why I think this could be a security issue for electron-builder:

If developers (like me) use electron-builder with an app-specific password on their CI server, like GitHub Actions, doesn't this mean that anyone with push access to any repository that uses this has full access to the Apple ID of the developer who happened to put their app-specific password into an `APPLE_APP_SPECIFIC_PASSWORD` environment variable (GitHub secret or similar)? Also, guests can submit PRs that will take over the owner's Apple ID (if the PR slips through a review).

If this is the case (even if it is only access to mail, contacts, and calendars), I think it would be a good idea to strongly recommend that developers do NOT use `APPLE_APP_SPECIFIC_PASSWORD` in CI like GitHub Actions. Maybe we should instead recommend `apiKey`/`apiIssuer`, which is supported by @electron/notarize, because those can at least be limited to a specific project. Or am I missing something else?
